Document Comparison
Secure-Software-Life-Cycle-(SLC)-Program-Guide-v1.pdf
→
PCI-Secure-SLC-Program-Guide-v1_1.pdf
62% similar
Pages: 31 → 31
Words: 9199 → 9443
Content changes: 82
From Revision History
- June 2019 1.0 Initial release.
Content Changes
82 content changes. 42 administrative changes (dates, page numbers) hidden.
Added
p. 2
June 2019 1.0 Initial release.
February 2021 1.1 Edits required to support the expansion of the Secure SLC Program and errata updates to clarify language and align terminology across SSF Program documents.
Added
p. 5
Definitions: For purposes of this document (including Section A.3 of Appendix A hereto):
“Eligible Software” means any software or software component that may be present in a payment environment and either (a) is directly involved in storing, processing, or transmitting payment data (“Payment Software”) or (b) does not directly handle payment data but may share resources defined within a payment environment; and "Assessor" refers to either a Secure SLC Assessor Company or Secure SLC Assessor, as the context requires.
Added
p. 7
• Roles and responsibilities of the primary stakeholders participating in the Secure SLC Program;
• Processes for Vendors wanting to validate against the PCI Secure SLC Standard and to manage and maintain Secure SLC Qualified Vendor status once obtained;
• Processes for Secure SLC Assessor Companies to assess candidate Secure SLC Qualified Vendors and their secure software development lifecycle processes, procedures, and practices for compliance with the PCI Secure SLC Standard;
• Quality assurance processes for Secure SLC Assessor Companies.
Vendors that are successfully validated against the PCI Secure SLC Standard for Program purposes (“Secure SLC Qualified Vendors”) have demonstrated to the applicable Assessor their validated secure software development life cycle processes, procedures and practices are in compliance with the PCI Secure SLC Standard. Secure SLC Qualified Vendors are then listed on PCI SSC’s list of Secure SLC Qualified Vendors on the Website (the “List of Secure SLC Qualified Vendors” or “List”).
Although not required for …
Added
p. 11
• Perform a gap analysis between the Secure SLC methods, policies, procedures, practices, etc. to be assessed and the requirements of the PCI Secure SLC Standard;
• Correct any gaps; and
• If desired, the Vendor can engage the Secure SLC Assessor Company to perform a pre-assessment or gap analysis of the Vendor’s software lifecycle practices. If the Assessor notes deficiencies that would prevent a compliant result, the Assessor may provide the candidate with a list of items to be addressed before the formal Assessment begins.
Documentation including policies and processes, internal standards, requirement mappings, internal presentations, training materials, or any other documentation or records that clearly and consistently illustrate that the Vendor has made reasonable efforts to understand and monitor its external security and compliance requirements; Software-specific documentation, features lists, software-specific security control inventories, change-management documentation, risk assessment reports, penetration test results, output from active monitoring systems, bug bounty program data, …
Added
p. 14
Vendor initiates the process by selecting a Secure SLC Assessor Company from the Website and negotiates any costs and agreements necessary to perform the Assessment with the Secure SLC Assessor Company. The Vendor and Secure SLC Assessor Company determine the scope of the Assessment. The Secure SLC Assessor Company assesses the Vendor’s secure SLC processes, including planning, development, testing, implementation, maintenance, patching, etc. to determine whether the Vendor meets the requirements of the PCI Secure SLC Standard. If the Secure SLC Assessor Company determines that the Vendor’s secure SLC processes satisfy all applicable requirements, it prepares a corresponding Secure SLC Report on Compliance (ROC) including all test results, opinions, and conclusions along with an Attestation of Compliance (AOC), and submits them to PCI SSC for review. PCI SSC issues an invoice to the Vendor for review of the submission. Once PCI SSC receives full payment of the invoice from the …
Added
p. 15
Figure 1. Secure SLC Assessment and Listing Process
Added
p. 17
Note: Annual attestation submissions received more than 30 calendar days past the annual attestation date will be assessed a late fee (Secure SLC Qualified Vendor Annual Attestation Late Fee, as listed in the PCI SSC Programs Fee Schedule).
If the Vendor wishes to remain on the List of Secure SLC Qualified Vendors, the Vendor must engage a Secure SLC Assessor Company to perform a new full Assessment against the then-current version of the PCI Secure SLC Standard, resulting in a new Acceptance on or before the re-assessment date. This new full Assessment must follow the same process as an initial Secure SLC Qualified Vendor Assessment.
Expiry: List of Secure SLC Qualified Vendors for which a new Acceptance has not occurred on or before the applicable re-assessment date will appear in Orange for the first 90 calendar days past re-assessment, and in Red thereafter.
The process flow for Vendor Re-Assessment is illustrated in Figure …
Added
p. 18
Figure 2a & 2b. Secure SLC Qualified Vendor Annual Attestation and Re-Assessment
Figure 3. Updates to Secure SLC Qualified Vendor Listings
Added
p. 20
The Vendor prepares a change analysis using the Secure SLC Change Impact Template (“Change Impact Template”) in Appendix B.
Minimum required information:
• Name and reference number of the Vendor Listing
• Description of the change
• “Type of Change” selected on template is “Administrative”
Administrative Change submission process:
• The Vendor prepares and signs the corresponding AOC (and new VRA if applicable) and sends it to the PCI SSC Software Security Framework Program Manager with the Change Impact Template.
• PCI SSC will then issue an invoice to the Vendor for the applicable change fee; and
• Upon payment of the invoice, PCI SSC will review the Administrative change submission. Should there be quality issues associated with any aspect of the submission, PCI SSC will provide these details to the Vendor and work with them to resolve.
• PCI SSC reserves the right to reject any change submission if it determines that a change described therein and …
Added
p. 21
• The Vendor prepares and signs the corresponding AOC (and new VRA if applicable) and sends it to the PCI SSC Software Security Framework Program Manager with the Change Impact Template.
• PCI SSC will then issue an invoice to the Vendor for the applicable change fee; and
• Upon payment of the invoice, PCI SSC will review the Designated Change submission. Should there be quality issues associated with any aspect of the submission, PCI SSC will communicate them to the Vendor.
• PCI SSC reserves the right to reject any change submission if it determines that a change described therein and purported to be a Designated Change by the Vendor is ineligible for treatment as a Designated Change.
• New VRA*
* If applicable.
Added
p. 21
For any change affecting the Listing of a Secure SLC Qualified Vendor, the applicable fee will be invoiced and must be received by PCI SSC for the changes to be reviewed, Accepted, and added to the List of Secure SLC Qualified Vendors.
A Vendor must already be identified on the List and not yet have passed its re-assessment date to have a change Accepted and reflected on the List.
Added
p. 25
Figure 4. Secure SLC Qualified Vendor QA Programs for Report Reviews
7.2.4 ROC Submission Reviews
Added
p. 28
A.3 Product Category
Only Vendors of Payment Software and other Eligible Software may seek validation as Secure SLC Qualified Vendors (see definitions of Payment Software and Eligible Software in Section 1 of the Program Guide). The Vendor must choose the category that best describes the primary function of the software, applications or components developed using the validated Secure SLC process from the list below.
POS Admin Eligible Software that administers or manages POS applications.
Modified
p. 3 → 5
The PCI Secure SLC Standard is part of the PCI Software Security Framework (“SSF”). This Program Guide details information pertinent to the roles of SSF Assessor Companies authorized by PCI SSC to perform Secure SLC Assessments under the Program (“Secure SLC Assessor Companies” or “Assessors”), and their employees who are qualified by PCI SSC to perform such Assessments (“Secure SLC Employees”).
The PCI Secure SLC Standard is part of the PCI Software Security Framework (“SSF”). This Program Guide details information pertinent to the roles of SSF Assessor Companies authorized by PCI SSC to perform Secure SLC Assessments under the Program (“Secure SLC Assessor Companies” ), and their employees who are qualified by PCI SSC to perform such Assessments (“Secure SLC Assessors”).
Modified
p. 3 → 5
Companies and individuals wishing to become qualified by PCI SSC to perform Secure SLC Assessments should first consult the Payment Card Industry (PCI) Software Security Framework Qualification Requirements for Assessors on the Website (the “SSF Qualification Requirements”).
Companies and individuals wanting to become qualified by PCI SSC to perform Secure SLC Assessments should first consult the Payment Card Industry (PCI) Software Security Framework Qualification Requirements for Assessors on the Website (the “SSF Qualification Requirements”).
Modified
p. 3 → 5
Capitalized terms used but not otherwise defined herein have the meanings set forth in the PCI Secure Software Qualification Requirements, as applicable.
Capitalized terms used but not otherwise defined herein have the meanings set forth in the SSF Qualification Requirements, as applicable.
Removed
p. 4
PCI SSC Programs Fee Schedule Lists the current fees for specific qualifications, tests, retests, training, and other services.
Modified
p. 4 → 5
Document name Description Payment Card Industry (PCI) Software Security Framework Secure Software Life Cycle Requirements and Assessment Procedures (“PCI Secure SLC Standard”) Defines a baseline set of specific technical requirements and assessment procedures against which vendors must be successfully assessed to be qualified by PCI SSC as Secure SLC Qualified Vendors.
Document Name Description Payment Card Industry (PCI) Software Security Framework Secure Software Lifecycle Requirements and Assessment Procedures (“PCI Secure SLC Standard”) Defines a baseline set of specific technical requirements and assessment procedures against which Vendors must be successfully assessed to be qualified by PCI SSC as Secure SLC Qualified Vendors.
Modified
p. 4 → 6
Vendor Release Agreement (“VRA”) Establishes the terms and conditions under which Secure SLC Qualified Vendor participate in the Program.
Vendor Release Agreement (“VRA”) Establishes the terms and conditions under which a Secure SLC Qualified Vendor participates in the Program.
Modified
p. 4 → 6
Secure SLC Assessor Feedback Form Template document made available by PCI SSC and required to be provided by Assessors to their Vendor customers to solicit feedback regarding such Assessors and their Assessment process.
PCI SSC Programs Fee Schedule The current lists of PCI SSC Program fees for specific qualifications, tests, retests, training, and other services available at: https://www.pcisecuritystandards.org/program_training_and_qualification/fees
Secure SLC Assessor Feedback Form Template document made available by PCI SSC and required to be provided by Assessors to their Vendor customers to solicit feedback regarding such Assessors and their Assessment process.
Removed
p. 6
4. Secure SLC Initiative and Overview
At a high level, this Program Guide addresses the following:
• Vendor secure payment software development life cycle management security requirements and assessment procedures
• Processes for Secure SLC Assessor Companies to validate whether Vendors comply with the PCI Secure SLC Standard
• Quality assurance processes for Secure SLC Assessor Companies
Vendors that are successfully validated against the PCI Secure SLC Standard for Program purposes (“Secure SLC Qualified Vendors”) have demonstrated to the applicable Assessor their validated secure payment software development life cycle processes, procedures and practices are in compliance with the PCI Secure SLC Standard.
Secure SLC Qualified Vendors are:
• Identified on PCI SSC’s list of Secure SLC Qualified Vendors on the Website (the “List of Secure SLC Qualified Vendors” or “List”); and
Modified
p. 6 → 7
Secure SLC Qualified Vendors with software listed on the PCI SSC List of Validated Payment Software are authorized to perform certain types of “Delta Assessments” (See Payment Card Industry (PCI) Software Security Framework Secure Software Program Guide on the Website) of their own software products under the Program with reduced Assessor participation, where those software products (a) are listed on the PCI SSC List of Validated Payment Software that has been successfully validated against the PCI Secure Software Standard and …
Modified
p. 6 → 7
Note: The PCI Secure SLC Standard is one of many separate and independent standards published by PCI SSC (each a “PCI SSC Standard”), such as the PCI DSS. Validation to the PCI Secure SLC Standard does not imply compliance with, or result in validation to, any other PCI SSC Standard, including but not limited to the PCI DSS.
Removed
p. 7
• Selecting a Secure SLC Assessor Company to perform the initial Assessment and re-qualification Assessments every three years of the Vendor’s secure software lifecycle management (“Secure SLC”) processes against the PCI Secure SLC Standard;
• Ensuring policies and processes that govern how the Vendor manages and supports its Secure SLC processes for Payment Software are in place and followed consistently;
• Ensuring all tools, technologies, and techniques used to support and manage the Secure SLC are properly managed to ensure continued effectiveness;
• Managing personnel involved in the design and development of the Payment Software throughout its lifecycle, including applicable Vendor personnel and third-party contributors;
• Complying with the Vendor Release Agreement (VRA), including the adoption and implementation of Vulnerability Handling Policies consistent with industry best practices;
• Submitting their Secure SLC methodology, policies, procedures and supporting documentation to the Secure SLC Assessor Company for review. Per the VRA, Vendors authorize the Secure SLC Assessor …
Modified
p. 7 → 8
• Maintaining the list of Secure SLC Qualified Vendors on the Website;
• Maintaining the lists of Secure SLC Assessor Companies and Secure SLC Assessors on the Website;
• Providing training for and qualifying Secure SLC Assessor Companies and Secure SLC Assessors to perform Secure SLC Assessments;
• Maintaining and updating the PCI Secure SLC Standard and related documentation according to a standards lifecycle management process; and
• Reviewing all submissions to be provided to PCI SSC as part of the Program, such as Vendor …
Modified
p. 7 → 9
• Maintaining the lists of Secure SLC Assessor Companies and Secure SLC Employees on the Website;
• Secure SLC Assessor Companies adequately report Secure SLC compliance of Vendors in their associated submissions; and
Removed
p. 8
• Ensuring that the Secure SLC Assessor Company and its Secure SLC Employees remain in good standing for Program purposes;
• Ensuring that its Secure SLC Employees each complete all required Secure SLC Employee training:
− All qualified Secure SLC Assessor Companies are listed on the Website. Only the Secure SLC Employees of a Secure SLC Assessor Company that meets the above criteria are recognized by PCI SSC as qualified to perform Secure SLC Assessments for that Secure SLC Assessor Company.
• Performing Secure SLC Assessments in accordance with the PCI Secure SLC Standard, this Program Guide, the SSF Qualification Requirements and the SSF Agreement;
• Providing an opinion regarding whether the Secure SLC Assessor Company’s Vendor customer meets the intent and requirements of the PCI Secure SLC Standard;
• Documenting each Secure SLC Assessment in a ROC and accompanying Attestation of Compliance (“AOC”) using the Secure SLC ROC Report and AOC Templates;
• Providing documentation …
Modified
p. 8 → 9
Note: PCI SSC does not perform Assessments of or validate Vendors; Assessment and validation is the role of the Secure SLC Assessor Company and its Secure SLC Employees. Vendor listing on the List of Secure SLC Qualified Vendors signifies that the applicable Secure SLC Assessor Company has determined that the Vendor complies with the PCI Secure SLC Standard, that the Secure SLC Assessor Company has submitted a corresponding ROC to PCI SSC, and that PCI SSC has determined that such …
Note: PCI SSC does not perform Assessments of or validate Vendors. Assessment and validation is the role of the Secure SLC Assessor Company and its Secure SLC Assessors. Vendor listing on the List of Secure SLC Qualified Vendors signifies that the applicable Secure SLC Assessor Company has determined that the Vendor complies with the PCI Secure SLC Standard, that the Secure SLC Assessor Company has submitted a corresponding ROC to PCI SSC, and that PCI SSC has determined that such …
Removed
p. 9
• Staying up to date with PCI SSC statements and guidance, industry trends, and best practices; and
Modified
p. 9 → 10
It is the Secure SLC Assessor Company’s responsibility to assess a Vendor’s Secure SLC processes for compliance with the PCI Secure SLC Standard, and document its findings and opinions in the applicable ROC using the applicable ROC report template. PCI SSC does not approve ROCs from a technical perspective; it performs quality assurance reviews to confirm that the ROC adequately documents the Assessor’s validation and attestation of compliance.
It is the Secure SLC Assessor Company’s responsibility to assess a Vendor’s Secure SLC processes for compliance with the PCI Secure SLC Standard and document its findings and opinions in the applicable ROC using the applicable ROC report template. PCI SSC does not approve ROCs from a technical perspective; it performs quality assurance reviews to confirm that the ROC adequately documents the Assessor’s validation and attestation of compliance.
Modified
p. 9 → 10
Note: For a given Secure SLC Assessment, the supporting Third-Party Service Provider product(s) or service(s) are considered part of the Vendor’s overall Secure SLC processes, are evaluated/assessed as part of the Vendor’s entire secure software lifecycle process Assessment, and are not eligible for separate listing as part of the Secure SLC Program.
Note: For a given Secure SLC Assessment, the supporting Third-Party Service Provider product(s) or service(s) are considered part of the Vendor’s overall Secure SLC processes, are evaluated/assessed as part of the Vendor’s entire secure software lifecycle process Assessment and are not eligible for separate listing as part of the Secure SLC Program.
Removed
p. 10
6. Overview of Secure SLC Validation Processes
6.1 Secure SLC Assessments
Secure SLC Assessments are performed by Secure SLC Assessor Companies. Secure SLC Assessments involve a detailed analysis of the Vendor’s Secure SLC processes and are intended to validate whether the Vendor meets the requirements of the PCI Secure SLC Standard. See Section 8, “Maintaining Secure SLC Qualification Vendor Status,” for more information.
Removed
p. 10
• Vendor initiates the process by selecting a Secure SLC Assessor Company from the Website and negotiates any costs and agreements necessary to perform the Assessment with the Secure SLC Assessor Company.
• The Secure SLC Assessor Company assesses the Vendor’s Secure SLC processes, including planning, development, testing, implementation, maintenance, patching, etc. to determine whether the Vendor meets the requirements of the PCI Secure SLC Standard.
• If the Secure SLC Assessor Company determines that the Vendor’s Secure SLC processes satisfy all applicable requirements, it prepares a corresponding Report on Compliance (ROC) including all test results, opinions, and conclusions along with an Attestation of Compliance (AOC), and submits them to PCI SSC for review.
• PCI SSC issues an invoice to the Vendor for review of the submission. The invoice must be paid in full before PCI SSC will commence the submission review process.
• PCI SSC reviews the submission, including the ROC, all …
Modified
p. 10 → 12
Whether the Vendor’s Secure SLC processes and procedures meet all requirements of the PCI Secure SLC Standard at the start of the Assessment
Removed
p. 15
7. Preparation for the Review
7.1 Secure SLC Prior to the Review
Prior to commencing a Secure SLC Assessment with a Secure SLC Assessor Company, Vendors are encouraged to take the following preparatory actions:
• Determine/assess their readiness to comply with the PCI Secure SLC Standard:
− Perform a gap analysis between their Secure SLC methods, policies, procedures, practices, etc. and the requirements of the PCI Secure SLC Standard;
− Correct any gaps; and
− If desired, the Secure SLC Assessor Company may perform a pre-assessment or gap analysis of the Vendor’s software lifecycle practices. If the Assessor notes deficiencies that would prevent a compliant result, the Assessor may provide the candidate with a list of items to be addressed before the formal Assessment begins.
Examples of documentation and other items to submit to the Secure SLC Assessor Company include, but are not limited to:
• Documentation including policies and processes, internal standards, requirement …
Modified
p. 15 → 11
• Review the PCI Secure SLC Standard and related documentation located on the Website;
• Determine/assess readiness to comply with the PCI Secure SLC Standard:
Modified
p. 15 → 11
In connection with each Assessment, the Vendor must provide the applicable supporting documentation to the Secure SLC Assessor Company and not to PCI SSC.
In connection with each Assessment, the Vendor must provide the applicable supporting documentation to the Secure SLC Assessor Company. Examples of documentation and other items the Vendor should be prepared to submit to the Secure SLC Assessor Company include, but are not limited to:
Modified
p. 15 → 11
Note: The Secure SLC Assessor Company may request additional material as necessary.
Note: The Secure SLC Assessor Company may request additional material as necessary (no Vendor documentation supporting the assessment is sent directly to PCI SSC).
Modified
p. 16 → 12
• Whether the Vendor’s Secure SLC processes and procedures meet all requirements of the PCI Secure SLC Standard at the start of the Assessment
− Corrections to the Vendor’s Secure SLC processes to achieve compliance will delay validation.
• Corrections to the Vendor’s Secure SLC processes to achieve compliance will delay validation.
Modified
p. 16 → 12
• Prompt payment of the fee due to PCI SSC
− PCI SSC will not commence review of the ROC until the applicable fee has been paid.
• PCI SSC will not commence review of the ROC until the applicable fee has been paid.
Modified
p. 16 → 12
• Quality of the Secure SLC Assessor Company's submission to PCI SSC
− Incomplete submissions or those containing errors, for example, missing or unsigned documents, incomplete, inconsistent, or insufficient submissions, will result in delays in the review process.
• Incomplete submissions or those containing errors, for example, missing or unsigned documents, incomplete, inconsistent, or insufficient submissions, will result in delays in the review process.
Modified
p. 16 → 12
• If the quality of the submission results in PCI SSC reviewing the ROC more than once, providing comments back to the Secure SLC Assessor Company to address each time, this will increase the length of time for the review process.
Modified
p. 16 → 12
Any Assessment timeframes provided by a Secure SLC Assessor Company should be considered estimates. Problems found during the review or acceptance, discussions required between the Secure SLC Assessor, the Vendor, and/or PCI SSC, or other matters may significantly impact review times and cause delays and/or cause the review to end prematurely.
Any Assessment timeframes provided by a Secure SLC Assessor Company should be considered estimates. Problems found during the review or acceptance process, discussions required between the Secure SLC Assessor, the Vendor, and/or PCI SSC, or other matters may significantly impact review times and cause delays and/or cause the review to end prematurely.
Modified
p. 17 → 13
PCI SSC will bill the Vendor for the Secure SLC Vendor Acceptance Fee; the Vendor pays this fee directly to PCI SSC.
PCI SSC will bill the Vendor for the New Secure SLC Vendor Listing Fee; the Vendor pays this fee directly to PCI SSC.
Removed
p. 18
• If the updated and complete AOC is received within this 90-day period, PCI SSC will update the corresponding Listing’s annual attestation date with the new date and remove the Orange status.
Modified
p. 18 → 16
The Secure SLC Qualified Vendor is required to consider the impact of external threats and whether updates to its Secure SLC processes are necessary to address changes to the external threat environment. The updated AOC and any applicable documentation are submitted by the Secure SLC Qualified Vendor to the PCI SSC Secure SLC Program Manager via the secure submission website designated by PCI SSC for the Program (the “Portal”) (described further in Section 9.2 below). An updated AOC must be …
The Secure SLC Qualified Vendor is required to consider the impact of external threats and whether updates to its Secure SLC processes are necessary to address changes to the external threat environment. The updated AOC and any applicable documentation are submitted by the Secure SLC Qualified Vendor to the PCI SSC Secure SLC Program Manager. An updated AOC must be submitted to PCI SSC ahead of the annual attestation date. PCI SSC will typically review and respond regarding such submittals …
Modified
p. 18 → 16
Fourteen (14) calendar days following the annual attestation date, the corresponding Listing will be updated to show the Listing’s annual attestation
Modified
p. 18 → 16
Note: PCI SSC reserves the right to withdraw Acceptance as indicated in Section 8.4 if a suspected vulnerability/security issue takes place.
Note: PCI SSC reserves the right to withdraw Acceptance as indicated in Section 6.5 if a suspected vulnerability/security issue takes place.
Removed
p. 19
• If the updated and complete AOC is not received within this 90-day period, the corresponding Listing’s annual attestation date will be updated to show the date in Red.
New Validation: If the Vendor wishes to remain on the List of Secure SLC Qualified Vendors, the Vendor must engage a Secure SLC Assessor Company to perform a new full Validation against the then-current version of the PCI Secure SLC Standard, resulting in a new Acceptance on or before the re-assessment date. This new Validation must follow the same process as an initial Secure SLC Vendor Validation. Expiry: List of Secure SLC Qualified Vendors for which a new Acceptance has not occurred on or before the applicable re-assessment date will appear in Orange for the first 90 days past re-assessment, and in Red thereafter.
Removed
p. 19
For any change affecting the Listing of a qualified Vendor, the applicable fee will be invoiced and must be received by PCI SSC for the changes to be reviewed, Accepted, and added to the List of Secure SLC Qualified Vendors.
There is no PCI SSC fee associated with the processing of annual attestations. All Secure SLC Program fees are posted on the Website. Secure SLC Program fees are non-refundable and are subject to change upon posting of revised fees on the Website.
A Vendor must already be identified on the List and not yet have passed its re-assessment date in order to have a change Accepted and reflected on the List.
Modified
p. 19 → 17
Once in Red, a full Assessment (including applicable fees) is required to return the Secure SLC Qualified Vendor Listing status to good standing.
Modified
p. 19 → 17
The process flow for annual attestation is detailed in Figure 2.
The process flow for Vendor Annual Attestation is illustrated in Figure 2a.
Modified
p. 19 → 17
Note: If a Vendor fails to meet the requirements of a full Evaluation, its Secure SLC Qualified Vendor status is revoked, and the Vendor’s Listing will be removed from the Website.
Note: If a Vendor fails to meet the requirements of a full Assessment, its Secure SLC Qualified Vendor status is revoked, and the Vendor’s Listing will be removed from the Website.
Removed
p. 20
Examples of administrative changes include, but are not limited to, corporate identity changes and changes to Listing details such as “Description.” See Section 8.5.1, “Administrative Changes for Listings of Secure SLC Qualified Vendors,” for details.
• Add or remove a Product Category used in Secure SLC development. See Section 8.5.2, “Designated Changes for Secure SLC Qualified Vendor Listing” for details.
Modified
p. 20 → 19
Table 8.5. Changes to Secure SLC Qualified Vendor Listing
Change Type: Administrative. Description: Changes made to a listed Vendor that have no impact on the Vendor’s compliance with the PCI Secure SLC Standard, but where the Listing of Secure SLC Qualified Vendors is updated to reflect the change.
Table 1. Changes to Secure SLC Qualified Vendor Listing
Change Type: Administrative. Description: Changes made to a listed Vendor that have no impact on the Vendor’s compliance with the PCI Secure SLC Standard, but where the Listing of Secure SLC Qualified Vendors is updated to reflect the change. Examples of administrative changes include, but are not limited to, corporate identity changes and changes to Listing details. See Section 6.3.1, Administrative Changes for Secure SLC Qualified Vendor Listings for details.
Modified
p. 20 → 19
Change Type: Designated. Description: Designated Changes are for changes to the Vendor’s Listing that are limited to:
Change Type: Designated. Description: Designated Changes are for changes to the Vendor’s Listing that are limited to: Add or remove a Product Category used in Secure SLC development. See Section 6.3.2, Designated Changes for Secure SLC Qualified Vendor Listings for details.
Modified
p. 20 → 19
The process flows for the Updates to Secure SLC Qualified Vendor Listings process are detailed in Figure 3.
The process flow for Updates to Secure SLC Qualified Vendor Listings is illustrated in Figure 3.
Modified
p. 20
Administrative Changes are limited to updates where no changes to a listed Vendor’s Secure SLC processes have occurred, but the Vendor wishes to request a change to the way the Vendor is currently listed on the Website. See Section 8.5.3, “Change Documentation,” for a summary of what is to be provided.
Administrative Changes are limited to updates where no changes to a listed Vendor’s Secure SLC processes have occurred, but the Vendor wishes to request a change to the way the Vendor is currently listed on the Website. See Section 6.3.3, Maintenance Documentation Summary List for a summary of what is to be provided.
Removed
p. 21
• Name and reference number of the Vendor Listing
• Description of the change
• Designation of whether the change is Administrative or Designated
If the Council agrees that the change as documented by the Vendor is eligible as an Administrative Change:
1. The Vendor prepares the change documentation, signs the corresponding AOC and sends it to the Council;
2. If applicable, the Vendor completes a new VRA;
3. PCI SSC will then issue an invoice to the Vendor for the applicable change fee; and
4. Upon payment of the invoice, PCI SSC will review the submission.
If the Council does not agree with the Vendor that the change is eligible as an Administrative Change, the Council works with the Vendor to consider the actions necessary to address the observations.
Should there be quality issues associated with any aspect of the submission, PCI SSC will communicate them to the Vendor. PCI SSC reserves the …
Modified
p. 21 → 20
• Update the Vendor’s Listing to reflect with the new information; and
Modified
p. 21 → 20
• Sign and return a copy of the corresponding AOC to the Vendor.
Modified
p. 21 → 20
Designated Changes are amendments made only to a Vendor’s current Listing to:
Designated Changes are amendments made only to a Vendor’s current Listing to add or remove a category used by the Vendor in its validated and Accepted Secure SLC development lifecycle.
Removed
p. 22
2. PCI SSC will then issue an invoice to the Vendor for the applicable change fee; and
3. Upon payment of the invoice, PCI SSC will review the Designated Change submission.
Should there be quality issues associated with any aspect of the submission, PCI SSC will communicate them to the Vendor. PCI SSC reserves the right to reject any change submission if it determines that a change described therein and purported to be a Designated Change by the Vendor is ineligible for treatment as a Designated Change.
Modified
p. 22 → 21
• Sign and return a copy of the corresponding AOC to the Vendor.
Modified
p. 22 → 21
• Update the Vendor’s Listing to reflect the new information; and
Modified
p. 22 → 21
• Change Impact document**
• Change Impact Template**
Modified
p. 22 → 21
** The Change Impact Template in Appendix B is mandatory for the Vendor when submitting Administrative and Designated Changes to PCI SSC.
Modified
p. 23
PCI SSC communicates any quality issues associated with ROCs to the Secure SLC Assessor Company. PCI SSC endeavors to communicate in real time when possible. It is the responsibility of the Secure SLC Assessor Company to resolve the issues with PCI SSC and/or the Vendor, as applicable. Such issues may be limited or more extensive; limited issues may simply require updating the ROC to reflect adequate documentation to support the Secure SLC Assessor Company’s decisions, whereas more extensive issues may …
Removed
p. 24
• Product Categories (specifying categories of Payment Software developed by the Vendor in accordance with the Vendor’s validated Secure SLC process)
• Validation Notes (Secure SLC version)
• Secure SLC Qualified Vendor Program qualification date
Modified
p. 24
Link to Portal: https://programs.pcissc.org/
9.2.2 Listing Information
The List of Secure SLC Qualified Vendors will contain, at minimum, the information specified below. Each characteristic is detailed in Appendix A: Elements for the List of Secure SLC Qualified Vendors.
Link to Portal: https://programs.pcissc.org/
7.2.2 Listing Information
The List of Secure SLC Qualified Vendors will contain, at minimum, the information specified below. Each characteristic is detailed in Appendix A, Elements for the List of Secure SLC Qualified Vendors:
Modified
p. 24
Secure SLC Qualified Vendor
Modified
p. 24
• Secure SLC Assessor Company
9.2.3 Assessor Quality Management Program
Secure SLC Assessor Companies are required to meet all QA standards set by PCI SSC. The various phases of the PCI SSC Assessor Quality Management (AQM) program for Secure SLC Assessor Companies are described below.
• Location Address
• Product Categories (specifying categories of software developed by the Vendor in accordance with the Vendor’s validated Secure SLC process)
• Validation Notes (Secure SLC version)
• Secure SLC Qualified Vendor Program qualification date
• Annual Attestation Re-Assessment Date
• Secure SLC Assessor Company
7.2.3 Assessor Quality Management Program
Secure SLC Assessor Companies are required to meet all QA standards set by PCI SSC. The various phases of the PCI SSC Assessor Quality Management (AQM) program for Secure SLC Assessor Companies are …
Modified
p. 26
If administrative or non-severe quality problems are detected, PCI SSC will generally recommend participation in the Remediation program. Remediation provides an opportunity for Secure SLC Assessor Companies to improve performance by working closely with PCI SSC staff. Additionally, Remediation helps to assure that the baseline standard of quality for Secure SLC Assessor Companies and Secure SLC Employees is maintained.
If administrative or non-severe quality problems are detected, PCI SSC will generally recommend participation in the Remediation program. Remediation provides an opportunity for Secure SLC Assessor Companies to improve performance by working closely with PCI SSC staff. Additionally, Remediation helps to assure that the baseline standard of quality for Secure SLC Assessor Companies and Secure SLC Assessors is maintained.
Removed
p. 28
A.3 Product Category
Vendors may have multiple types of Payment Software developed according to their validated Secure SLC process. The Vendor must choose the option which best describes the primary function of the applications developed using the validated Secure SLC process from the list below.
• but are not required to be validated as part of a Secure SLC Assessment.
Modified
p. 28
Function / Description
Automated Fuel: Payment Software that provides operation and management of point-of-sale transactions, including processing and/or accounting functions in fuel-dispensing environments.
Function / Description
Automated Fuel Dispenser: Payment Software that provides operation and management of point-of-sale transactions, including processing and/or accounting functions in fuel-dispensing environments.
Modified
p. 28
Card-Not-Present Payment Software that is used by merchants to facilitate transmission and/or processing of payment authorization and/or settlement in card- not-present channels.
Card-Not-Present Payment Software that is used by merchants to facilitate transmission and/or processing of payment authorization and/or settlement in card-not-present channels.
Modified
p. 28
Payment Back Office: Software that allows payment data to be used in back-office locations, for example, for fraud reporting, marketing, hotel property management, or managing and reporting revenue. While these applications may not be part of authorization and settlement, often they are bundled with Payment Software as software suites and can be, but are not required to be, validated as part of a Secure SLC Assessment.
Payment Back Office: Eligible Software that allows payment data to be used in back-office locations, for example, for fraud reporting, marketing, hotel property management, or managing and reporting revenue. While these applications may not be part of authorization and settlement, often they are bundled with Payment Software as software suites and can be, but are not required to be, validated as part of a Secure SLC Assessment.
Modified
p. 28
Payment Gateway/ Payment Software sold or distributed to third parties to facilitate transmission and/or processing of payment authorization and settlement between merchant systems and processors.
Payment Gateway/ Switch Payment Software sold or distributed to third-parties to facilitate transmission and/or processing of payment authorization and settlement between merchant systems and processors.
Removed
p. 29
Card-Not-Present: Payment Software that is used by merchants to facilitate transmission and/or processing of payment authorization and/or settlement in card-not-present channels.
Automated Fuel: Payment Software that provides operation and management of point-of-sale transactions, including processing and/or accounting functions in fuel dispensing environments.
Payment Component: Payment Software that operates as a component of a broader application environment upon which it is dependent to operate. Such software must have distinguishable configuration identifiers that are easily discernible from the broader application environment. Payment software may include, but is not limited to, mobile payment applications or mobile browser payment components.
Modified
p. 29 → 28
POS Face-to-Face/POI Point-of-sale Payment Software used by merchants solely for face-to- face or Point of Interaction (POI) payment card transactions. These applications may include middleware, front-office or back-office software, store-management software, etc.
POS Face-to-Face/POI Point-of-sale Payment Software used by merchants solely for face-to-face or Point of Interaction (POI) payment card transactions. These applications may include middleware, front-office or back-office software, store-management software, etc.
Modified
p. 29
POS Suite/General Point-of-sale Payment Software that can be used by merchants for numerous payment channels, including face-to-face, mail- order/telephone-order (MOTO, including call centers), Interactive Voice Response (IVR), Web (for manually entered e-commerce, MOTO, etc., transactions), and EFT/check authentication.
POS Suite/General Point-of-sale Payment Software that can be used by merchants for numerous payment channels, including face-to-face, mail-order/telephone-order (MOTO, including call centers), Interactive Voice Response (IVR), Web (for manually entered e-commerce, MOTO, etc. transactions), and EFT/check authentication.
Modified
p. 31 → 30
Part 1. Secure SLC Qualified Vendor Listing Details, Contact Information and Change
Vendor Listing Details: Vendor Name; Qualified Listing Reference #; Type of Change (Please check): Administrative (Complete Part 2), Designated (Complete Part 3); Submission Date
Vendor Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
Part 2. Details for Administrative Change (if indicated at Part 1)
Administrative Change Revision: Current Vendor Company Name; Revised Vendor Company Name (if applicable); Additional details, as applicable
Part 3. Details for Designated Change …
Part 1. Secure SLC Qualified Vendor Listing Details, Contact Information and Change Type
Vendor Listing Details: Vendor Name; Qualified Listing Reference #; Type of Change (Check one): Administrative (Complete Part 2), Designated (Complete Part 3); Submission Date
Vendor Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
Part 2. Details for Administrative Change (if indicated at Part 1)
Administrative Change Revision: Current Vendor Company Name; Revised Vendor Company Name (if applicable); Additional details, as applicable